Some ideas and info.

Some ideas and info.

[Nikolay]

Hi. I was wondering if you've thought about implementing non-exec pages and
stack randomization?
In case that the user hasn't got the PaX patches it's nice to be protected
at least a little more isn't it ? I think that at least basic
implementations of such mechanisms is needed and would help in improving the
security level.
I could implement such ideas, if you'd like ofcourse.

(Sorry for my poor english (it's not my native language. I also intend to
write often here, I like the ideas of your project and I would be glad to
help you.)
Best regards,
Nikolay


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Some ideas and info.

[Joshua Brindle]

Nikolay wrote:

>Hi. I was wondering if you've thought about implementing non-exec pages and
>stack randomization?
>In case that the user hasn't got the PaX patches it's nice to be protected
>at least a little more isn't it ? I think that at least basic
>implementations of such mechanisms is needed and would help in improving the
>security level.
>I could implement such ideas, if you'd like ofcourse.
>
>(Sorry for my poor english (it's not my native language. I also intend to
>write often here, I like the ideas of your project and I would be glad to
>help you.)
>Best regards,
>Nikolay
>
>
>--
>This message was distributed to subscribers of the selinux mailing list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
>
>  
>
Memory protections are well outside the scope of SELinux (which includes 
only mandatory access control), however the Gentoo (of which I am a 
part) have a patch to integrate PaX flags into SELinux policy, it's 
available if you are interested.

Joshua Brindle

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Some ideas and info.

[Luke Kenneth Casson Leighton]

hello nikolay, from one random selinux user to another, welcome to
the nsa's selinux list.

okay.  selinux was designed to add fine grained auditing and "mandatory"
access control because of concerns over the use in US government
departments of an over-20-year-old security model - i.e. ordinary
non-selinux-enhanced linux.

i presume that the nsa's expertise was best spent focussing on this
specific "lack", given that other research projects were concentrating
on things like PAX, MPPE support etc. (e.g. the http://adamantix.org stuff)

so yes, it'd be great to have additional security measures in place.

i think you'll find that gentoo (hardened) have made use of as many
as they can find.

however the people on _this_ list specifically focus on selinux -
perhaps on its own, perhaps in combination with other security measures
(like gentoo hardened do).

so, with that in mind, can i please ask you a favour?

can i "steer" you in the direction of adamantix.org, because i would
_really_ like to see debian have all of the adamantix.org stuff minus
the RSBAC stuff plus selinux stuff.

it's a bit unfortunate that a lot of this stuff requires a total
recompile of all packages, which is probably why gentoo has it a
bit easier.

l.


On Sun, Aug 01, 2004 at 04:20:54AM -0000, Nikolay wrote:

> Hi. I was wondering if you've thought about implementing non-exec pages and
> stack randomization?
> In case that the user hasn't got the PaX patches it's nice to be protected
> at least a little more isn't it ? I think that at least basic
> implementations of such mechanisms is needed and would help in improving the
> security level.
> I could implement such ideas, if you'd like ofcourse.
> 
> (Sorry for my poor english (it's not my native language. I also intend to
> write often here, I like the ideas of your project and I would be glad to
> help you.)
> Best regards,
> Nikolay
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Some ideas and info.

[Luke Kenneth Casson Leighton]

joshua, hi,

at the risk of sounding like an aol bulletin-board-service wannabe,
"me too!"

l.

On Sun, Aug 01, 2004 at 01:46:19AM -0400, Joshua Brindle wrote:

> Memory protections are well outside the scope of SELinux (which includes 
> only mandatory access control), however the Gentoo (of which I am a 
> part) have a patch to integrate PaX flags into SELinux policy, it's 
> available if you are interested.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.